DejaNET Communications - Welcome To Our New Site!

"Order ID: 37679041" Scam Virus/Trojan
SPECIAL ALERT
October 13, 2006 - MUSKEGON, MI - DejaNET Communications today received an email with the subject "Order ID : 37679041".  The email looks VERY similar to an email confirmation about a recent laptop purchase from a major retailer.  The email goes on to state that an Order Summary is attached to the email as an Adobe .PDF file.  Unsuspecting recipients of this email may be concerned that they are a victim of identity theft and will open the attachment to find out more info.

The problem is that the attachment is in .zip format and once unzipped, it is actually an .EXE file and NOT really a .PDF file as stated in the fake email.  Opening the .EXE file is what actually executes and sets off this virus/trojan.  Once executed, the computer is compromised in many ways.

This email contains a virus/trojan and anyone receiving this email or any variant should not open the attachment, nor should it be forwarded to others.  Simply delete it immediately. 

The email and virus/trojan combination was first found on the Internet on October 10, 2006.

VIRUS ALIASES:
The virus goes by the names Backdoor.Haxdoor.R (Symantec Norton Antivirus), Haxdoor.NJ (Panda Antivirus), BackDoor-BAC!55436 (McAfee), and Backdoor.Win32.Haxdoor.lf (Kaspersky Antivirus).

An exact copy of the email received by DejaNET Communications is shown in full below (minus full header info and the attachment itself):

START OF EMAIL
------------------------------------------------
Fri Oct 13 05:56:59 2006
From: customercare@circuitcity.com
Subject: Order ID : 37679041
MIME-Version: 1.0
 

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader. 
If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site. 

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order!  Thank you for shopping with us!
 

Content-Type: application/x-zip-compressed; name="order_37679041.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="order_37679041.zip"
 

--------------------------------------------------
END OF EMAIL

This email is a hoax and contains a virus/trojan in the attached file.

Delete it immediately and do not pass it on to others.  As long as you DO NOT open and EXECUTE the attachment, nothing has happened to your system, nor has anything been ordered and billed to you.  If you DID happen to open the attachment WITHOUT ALREADY HAVING an antivirus program in place (with definitions updated since October 10, 2006) that immediately halted/deleted the virus, you should immediately change all of the passwords that are saved on your computer, as well as any not saved on your computer that you may have used since October 10, 2006, and install an antivirus program with updated definitions in order to remove the virus completely from your system.  Symantec, Panda, McAfee, Trend, and others also provide free online virus scanning; Google one of those antivirus names to find a free online scanner if needed.  Read on below to see what files were dropped and/or modified by this virus/trojan.

---------------------------------------------------------------------------------

INDICATIONS OF AN INFECTION - FROM SYMANTEC (Norton Antivirus):

Once executed, Backdoor.Haxdoor.R performs the following actions:

  • Drops the following files:
         %System%\ydsvgd.dll
         %System%\ydsvgd.sys
         %System%\ycsvgd.sys
         %System%\qo.dll
         %System%\qo.sys

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  • Creates the following files to store stolen information:
         %System%\shsvga.bin
         %System%\gsvga.bin
         %System%\mnssvgas.bin
         %System%\lps.dat
         %System%\ttsvga.dat
         %System%\t001f.exd
         %System%\wagfola4w.dat

  • Hides all of the above files using a rootkit.

  • Creates the following services:
         ycsvgd
         ydsvgd

  • Creates the following registry subkeys, which are related to the above services:
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ycsvgd
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ydsvgd

  • Creates the following registry subkey:
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YCSVGD

  • Creates the following registry subkey on computers running Windows NT/2000/XP so that it is executed every time Windows starts:
         HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd

  • Creates the following registry subkeys so that it runs in safe mode:
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ycsvgd.sys

  • Deletes the value:
         "Start" = "[NUMBER]"
    from the registry subkey:
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    to disable the Windows Security Center.

  • Adds the value:
         "EnforceWriteProtection" = "0"
    to the registry subkey:
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
    to disable Microsoft DEP write protection.

  • Hides its presence by injecting the following file into Explorer.exe:
         %System%\ydsvgd.dll

  • Opens a back door on a random TCP port. The remote attacker can then perform the following actions on the compromised computer:
         Download files
         Execute programs
         Control the device driver of the rootkit
         Steal passwords stored in Protected Storage
         Steal cached passwords by calling the WNetEnumCachedPasswords API
         Steal the Miranda IM password
         Gather dialup connection information
         Check if the WebMoney application is installed on the compromised computer
         Steal ICQ passwords
         Log keystrokes

  • Sends information, such as the port used by the back door, Windows version information, etc., to an attacker by sending a query to the following URL:
         [http://]www.grci.info/bsrv[REMOVED]

  • Sends an email containing the stolen information to a predetermined email address.

INDICATIONS OF AN INFECTION - FROM PANDA SOFTWARE (Panda Antivirus):

Haxdoor.NJ carries out the following actions:

  • It logs the keystrokes typed by the user.

  • It attempts to obtain the login account passwords by accessing the SAM file, where the hashes of the usernames and Windows passwords are stored.

    A hash is the text string obtained when a function is applied to a certain text. The resulting text string is generally shorter than the original one and it is used basically for security reasons or to index databases.

  • It obtains the passwords from the following programs:
         Web mail
         ICQ
         Miranda
         MSN
         Outlook Express
         The Bat!
         Web Money

  • It monitors whether the user accesses web pages belonging to any of the following domains:
         ebay
         e-gold
         paypal

    If the user accesses any of them, Haxdoor.NJ uses the rootkit detected as Rootkit/Haxdoor.NJ in order to log any information entered by the user. This way, Haxdoor.NJ obtains confidential information about the user, such as passwords.

  • Additionally, this rootkit opens three random ports, so that its author obtains the data that has been gathered.

  • It ensures that it is run whenever Windows is started by injecting code into the Windows process called Explorer.exe.

INDICATIONS OF AN INFECTION - FROM MCAFEE (McAfee Antivirus):

  • Upon execution, BackDoor-BAC!55436 drops the following files:
         %Windir%\%SysDir%\qo.dll        --> Detected as BackDoor-BAC.dll
         %Windir%\%SysDir%\qo.sys        --> Detected as BackDoor-BAC.sys
         %Windir%\%SysDir%\ycsvgd.sys    --> Detected as BackDoor-BAC.sys
         %Windir%\%SysDir%\ydsvgd.sys    --> Detected as BackDoor-BAC.sys
         %Windir%\%SysDir%\ydsvgd.dll    --> Detected as BackDoor-BAC.dll

  • Creates the following registry entries to auto-start the trojan at Windows logon:
         HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd
         "DllName" = "ydsvgd.dll"
         "Startup" = "XWD33Sifix"

  • Registers its rootkit component to start as a service:
         HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service\Ycsvgd
         "PTA Adapter" = "%Windir%\%SysDir%\ydsvgd.sys"

         HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service\Ydsvgd
         "PTA Adapter32" = "%Windir%\%SysDir%\ycsvgd.sys"

  • Creates the following registry entries to enable the trojan to start even in Windows safe mode:
         HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys
         HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\ycsvgd.sys

  • Opens a backdoor on TCP port 16661, which allows a remote attacker unauthorized access.

  • Additionally, it opens two random TCP ports on an infected computer.

  • Rootkit component:

    "ydsvgd.sys" is the rootkit component of this trojan and is responsible for hiding the presence of the trojan on an infected system. It hooks into the System Service Descriptor Table (SSDT) and alters the addresses corresponding to the NtXXX functions implemented in Ntoskrnl.exe.

  • The following NtXXX functions are replaced with pointers to the rootkit code:
         NtOpenThread
         NtOpenProcess
         NtCreateProcess
         NtQueryDirectoryFile
         NtQuerySystemInformation

  • When the rootkit is loaded, it hides files that contain any of the following strings:
         gsvga.bin
         lps.dat
         mnsvgas.bin
         qo.dll
         qo.sys
         shsvga.bin
         t001f.exd
         ttsvga.dat
         wagfola4w.dat
         ycsvgd.sys
         ydsvgd.dll
         ydsvgd.sys

  • "ydsvgd.dll" is the password-stealing and notification component of this trojan.

  • Passwords for the following applications are captured:
         AutoComplete passwords in Internet Explorer
         Password-protected sites in Internet Explorer
         IM and Dialup connection passwords

  • It injects itself into Explorer and logs all keystrokes and active window titles into the following file:
         %Windir%\%SysDir%\kps001.sys
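The three vendor write-ups above name the same dropped files, services and registry keys. The following is an added Python example (it is not from this page or from any of the vendors) that checks a host's exported file, service and registry inventory against those indicators; the inventory format, the helper names and the sample data are assumptions made here. Because the McAfee section says the rootkit hooks NtQueryDirectoryFile, take the file list from an offline mount or a tool that does not go through that API, and treat the registry and service hits as the more trustworthy signal on a live system.

```python
# Indicators from the Symantec and McAfee sections above, lower-cased for comparison.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32", r"c:\windows\system"}
DROPPED_FILES = {"ydsvgd.dll", "ydsvgd.sys", "ycsvgd.sys", "qo.dll", "qo.sys",
                 "shsvga.bin", "gsvga.bin", "mnssvgas.bin", "lps.dat", "ttsvga.dat",
                 "t001f.exd", "wagfola4w.dat", "kps001.sys"}
SERVICES = {"ycsvgd", "ydsvgd"}
CCS = r"hklm\system\currentcontrolset"
PERSISTENCE_KEYS = {
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\notify\ydsvgd",
    CCS + r"\services\ycsvgd", CCS + r"\services\ydsvgd",
    CCS + r"\enum\root\legacy_ycsvgd",
    CCS + r"\control\safeboot\minimal\ycsvgd.sys",
    CCS + r"\control\safeboot\network\ycsvgd.sys"}
WSCSVC = CCS + r"\services\wscsvc"
MEMMGMT = CCS + r"\control\session manager\memory management"

def norm_key(key):
    # Lower-case a registry path and abbreviate the hive so exports compare equal.
    return key.strip().lower().replace("hkey_local_machine", "hklm", 1)

def triage(inventory):
    """inventory = {'files': [paths], 'services': [names], 'registry': {key: {value: data}}}
    exported from the host (assumed format); returns the alert's indicators that matched."""
    findings = []
    for path in inventory.get("files", []):
        folder, _, name = path.lower().rpartition("\\")
        if folder in SYSTEM_DIRS and name in DROPPED_FILES:
            findings.append("dropped file: " + path)
    for svc in inventory.get("services", []):
        if svc.lower() in SERVICES:
            findings.append("rootkit service: " + svc)
    reg = {norm_key(k): {v.lower(): str(d) for v, d in vals.items()}
           for k, vals in inventory.get("registry", {}).items()}
    for key in sorted(PERSISTENCE_KEYS & set(reg)):
        findings.append("persistence key: " + key)
    if WSCSVC in reg and "start" not in reg[WSCSVC]:       # value deleted, not changed
        findings.append("wscsvc Start value deleted (Security Center disabled)")
    if reg.get(MEMMGMT, {}).get("enforcewriteprotection") == "0":
        findings.append("EnforceWriteProtection = 0 (DEP write protection disabled)")
    return findings

def sample_inventory():
    """Constructed export of an infected host (not real data)."""
    hklm = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
    return {"files": [r"C:\WINDOWS\system32\ydsvgd.dll", r"C:\WINDOWS\system32\notepad.exe"],
            "services": ["Spooler", "ydsvgd"],
            "registry": {r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                         r"\Winlogon\Notify\ydsvgd": {"DllName": "ydsvgd.dll"},
                         hklm + r"\Services\wscsvc": {"Type": 32},   # Start deleted
                         hklm + r"\Control\Session Manager\Memory Management":
                             {"EnforceWriteProtection": 0}}}
```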

-------------------------

    You can read more about this virus/trojan by visiting the following links:

    Backdoor.Haxdoor.R - Symantec Security Response

    McAfee Virus Profile: BackDoor-BAC!55436

    Malware being spammed as PDF from retail stores - Spyware Confidential - ZDNet.com

    qo - qo.dll - DLL Information - WinTasks DLL Library

    Haxdoor.Fam Threat Details - Counter Spy Research Center

    Backdoor.Win32.Haxdoor.lf - Viruslist.com (Kaspersky Labs)

    -----------------------------

    A search on Google for the term "37679041" currently returns over 47 pages with info relating to this scam.

    A search on Google for the term "WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99" currently returns over 12 pages with info relating to this scam.

    -----------------------------

    BLOCKING TIPS

    If your router and/or email program allows you to filter/block by domain name, then set up a new filter to block the domain name: "grci.info" (without the quotes).

    If your email program allows you to filter/block by subject, then set up a filter to block "Order ID : 37679041" (without the quotes).

    If your email program or the server itself (Cpanel will do this - go to email filters) allows you to block by email body content, then set up a filter to block all emails containing within the body "WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99" (without the quotes).
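    As an added example (not from this page or from DejaNET), the three filters above plus the check from the top of the alert, that the "PDF" attachment is a zip holding an .EXE, written in Python with the standard email and zipfile modules. The sample message and the attachment stub inside it are constructed here; the real trojan is not used. The MZ-header test goes one step beyond the page and also flags an executable that has been renamed to look like a document.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Filter rules taken from the blocking tips above.
BLOCKED_SUBJECT = "Order ID : 37679041"
BLOCKED_BODY = "WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99"
BLOCKED_DOMAIN = "grci.info"
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def zip_hides_executable(data):
    """Archive members that are executables by extension or 'MZ' PE header; non-zip -> []."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                head = zf.open(info).read(2)
                if info.filename.lower().endswith(EXEC_EXTENSIONS) or head == b"MZ":
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return hits

def classify(raw):
    """Apply the alert's rules to one raw RFC 822 message; returns reasons to block it."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    checks = [("subject matches alert", BLOCKED_SUBJECT in (msg["Subject"] or "")),
              ("body matches alert", BLOCKED_BODY in text),
              ("body references blocked domain", BLOCKED_DOMAIN in text)]
    reasons = [why for why, hit in checks if hit]
    for part in msg.iter_attachments():          # the zip the mail calls a PDF
        members = zip_hides_executable(part.get_content())
        if members:
            reasons.append(f"attachment {part.get_filename()} hides executable {members}")
    return reasons

def build_sample():
    """Constructed lookalike of the quoted mail; the zip holds a harmless MZ-headed stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("37679041.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = BLOCKED_SUBJECT
    msg.set_content("Product : Quantity : Price\n" + BLOCKED_BODY + "\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="x-zip-compressed", filename="order_37679041.zip")
    return msg.as_bytes()
```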

    Last Modified: 10/13/2006
    Copyright © 1996-2006 DejaNET Communications